For many years, the processors within computing devices, such as laptops, smartphones or tablets, have used global identifiers (IDs) to uniquely identify the device to one or more applications running on the device. Sometimes the operating system will also have this type of global ID. When third-party applications are allowed to run within a computing environment, these applications, for a variety of legitimate reasons, typically request the IDs of the underlying hardware and/or operating system. For example, device-specific IDs may be used to combat fraud, authenticate access to beta versions of applications prior to their official release and power specific mobile advertising networks, among other reasons.
However, providing applications with a global identifier also poses significant and well-known privacy concerns. For example, global identifiers are sometimes used as authentication mechanisms for mobile networks, such as gaming networks. In such cases, if an attacker acquired a user's device-specific ID, the attacker may be able to access a multitude of other personal data, including information about a user's linked social networking site account(s), the user's email address(es) or the user's mobile phone number. Privacy concerns have caused such companies as Intel and Apple to discontinue the use of global IDs. For example, processors developed by Intel after the Pentium III family of processors have not supported processor serial numbers (PSN). As another example, Apple, Inc. began rejecting applications developed by third parties for the iOS platform that request a Unique Device Identifier (UDID).
At the present time, there is no technically and/or commercially viable method by which an application running on a computing device may have access only to its own application-specific ID and/or application-specific keypair. Currently available methods provide a single global ID for all applications, do not protect privacy from malicious applications, or rely on “security by obscurity” to enforce privacy.
What is needed are systems, methods and apparatuses for the secure, application-specific identification of devices that do not allow applications to access global device IDs or global public/private keypairs.